Single Sign-On

Single sign-on (SSO) allows users to use a single login across multiple enterprise applications. The Single Sign-On feature allows your team to sign in using your existing identity provider instead of an Invoiced username and password.

Within your identity provider follow these instructions:

1. Create a new SAML 2.0 application in your identity provider for Invoiced.
2. Enter in the below for the service URL: https://invoiced.com/auth/sso/sp/acs
3. Set the Audience field to invoiced.
4. Set the NameID field to the email address.

Now go to the Invoiced application:

1. Go to Settings → Team → SSO. If you do not see the SSO tab then contact Invoiced Support to have it enabled.
2. Click on the Enable SSO toggle.
3. Copy the certificate from the identity provider and paste it into the X.509 Certificate field.
4. Copy over the Issuer URL into the Identity Provider Identifier or Issuer URL field.
5. Copy over the Single Sign-On URL into the Identity Provider Single Sign-On URL field.

Once SSO is properly configured, users can click the Login with SSO button on the login screen or go here. The user will be required to enter in their email address. Assuming there is a match the user will then be signed in through their identity provider

Alternatively, instead of using the Invoiced login form, you can sign in from your Identity Provider using a feature known as Identity Provider-Initiated Sign In.

When using Single Sign-On on Invoiced, it is important to know these limitations and features that are not supported.

• You can only use an email domain (eg. @example.com) with a single tenant.
• We do not currently support mandating that single sign-on is the only supported sign in mechanism. Users will still be able to sign in with username and password.
• Just-In-Time (JIT) user provisioning is not supported. New users must also be added to Settings → Team → Users.
• Single Log Out (SLO) is not supported.
• System for Cross-domain Identity Management (SCIM) is not supported.